|
suricata
|
|
suricata
|
Go to the source code of this file.
Typedefs | |
| typedef struct AppLayerProtoDetectThreadCtx_ | AppLayerProtoDetectThreadCtx |
| typedef AppProto(* | ProbingParserFPtr) (Flow *f, uint8_t *input, uint32_t input_len) |
Functions | |
| AppProto | AppLayerProtoDetectGetProto (AppLayerProtoDetectThreadCtx *tctx, Flow *f, uint8_t *buf, uint32_t buflen, uint8_t ipproto, uint8_t direction) |
| Returns the app layer protocol given a buffer. More... | |
| int | AppLayerProtoDetectPrepareState (void) |
| Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered. More... | |
| void | AppLayerProtoDetectPPRegister (uint8_t ipproto, const char *portstr, AppProto alproto, uint16_t min_depth, uint16_t max_depth, uint8_t direction, ProbingParserFPtr ProbingParser1, ProbingParserFPtr ProbingParser2) |
| register parser at a port More... | |
| int | AppLayerProtoDetectPPParseConfPorts (const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc) |
| int | AppLayerProtoDetectPMRegisterPatternCS (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction) |
| Registers a case-sensitive pattern for protocol detection. More... | |
| int | AppLayerProtoDetectPMRegisterPatternCI (uint8_t ipproto, AppProto alproto, const char *pattern, uint16_t depth, uint16_t offset, uint8_t direction) |
| Registers a case-insensitive pattern for protocol detection. More... | |
| int | AppLayerProtoDetectSetup (void) |
| The first function to be called. This initializes a global protocol detection context. More... | |
| void | AppLayerProtoDetectReset (Flow *) |
| Reset proto detect for flow. More... | |
| void | AppLayerRequestProtocolChange (Flow *f, uint16_t dp, AppProto expect_proto) |
| request applayer to wrap up this protocol and rerun protocol detection. More... | |
| void | AppLayerRequestProtocolTLSUpgrade (Flow *f) |
| request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS. More... | |
| int | AppLayerProtoDetectDeSetup (void) |
| Cleans up the app layer protocol detection phase. More... | |
| void | AppLayerProtoDetectRegisterProtocol (AppProto alproto, const char *alproto_name) |
| Registers a protocol for protocol detection phase. More... | |
| int | AppLayerProtoDetectConfProtoDetectionEnabled (const char *ipproto, const char *alproto) |
| Given a protocol name, checks if proto detection is enabled in the conf file. More... | |
| AppLayerProtoDetectThreadCtx * | AppLayerProtoDetectGetCtxThread (void) |
| Inits and returns an app layer protocol detection thread context. More... | |
| void | AppLayerProtoDetectDestroyCtxThread (AppLayerProtoDetectThreadCtx *tctx) |
| Destroys the app layer protocol detection thread context. More... | |
| void | AppLayerProtoDetectSupportedIpprotos (AppProto alproto, uint8_t *ipprotos) |
| AppProto | AppLayerProtoDetectGetProtoByName (const char *alproto_name) |
| const char * | AppLayerProtoDetectGetProtoName (AppProto alproto) |
| void | AppLayerProtoDetectSupportedAppProtocols (AppProto *alprotos) |
| void | AppLayerRegisterExpectationProto (uint8_t proto, AppProto alproto) |
| void | AppLayerProtoDetectUnittestCtxBackup (void) |
| Backs up the internal context used by the app layer proto detection module. More... | |
| void | AppLayerProtoDetectUnittestCtxRestore (void) |
| Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup(). More... | |
| void | AppLayerProtoDetectUnittestsRegister (void) |
| Register unittests for app layer proto detection module. More... | |
Definition in file app-layer-detect-proto.h.
| typedef struct AppLayerProtoDetectThreadCtx_ AppLayerProtoDetectThreadCtx |
Definition at line 28 of file app-layer-detect-proto.h.
Definition at line 30 of file app-layer-detect-proto.h.
| int AppLayerProtoDetectConfProtoDetectionEnabled | ( | const char * | ipproto, |
| const char * | alproto | ||
| ) |
Given a protocol name, checks if proto detection is enabled in the conf file.
| alproto | Name of the app layer protocol. |
| 1 | If enabled. |
| 0 | If disabled. |
Definition at line 1738 of file app-layer-detect-proto.c.
References BUG_ON, ConfGetNode(), ConfValIsFalse(), ConfValIsTrue(), RunmodeIsUnittests(), SC_ERR_FATAL, SCEnter, SCLogDebug, SCLogError, SCReturnInt, and ConfNode_::val.
Referenced by AppLayerParserRegisterProtocolParsers(), HTPFreeConfig(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterDNSTCPParsers(), RegisterDNSUDPParsers(), RegisterENIPTCPParsers(), RegisterENIPUDPParsers(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterModbusParsers(), RegisterNFSTCPParsers(), RegisterNFSUDPParsers(), RegisterSMB2Parsers(), RegisterSMBParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), RegisterTemplateParsers(), and RegisterTFTPParsers().
| int AppLayerProtoDetectDeSetup | ( | void | ) |
Cleans up the app layer protocol detection phase.
Definition at line 1646 of file app-layer-detect-proto.c.
References AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, AppLayerProtoDetectCtx_::ctx_pp, MpmTableElmt_::DestroyCtx, FLOW_PROTO_DEFAULT, AppLayerProtoDetectPMCtx_::map, AppLayerProtoDetectPMCtx_::max_sig_id, AppLayerProtoDetectPMCtx_::mpm_ctx, mpm_table, MpmCtx_::mpm_type, PatIntId, SCEnter, SCReturnInt, AppLayerProtoDetectCtx_::spm_global_thread_ctx, and SpmDestroyGlobalThreadCtx().
Referenced by AppLayerDeSetup(), AppLayerProtoDetectUnittestCtxRestore(), and RegisterSMBParsers().
| void AppLayerProtoDetectDestroyCtxThread | ( | AppLayerProtoDetectThreadCtx * | tctx | ) |
Destroys the app layer protocol detection thread context.
| tctx | Pointer to the app layer protocol detection thread context. |
Definition at line 1860 of file app-layer-detect-proto.c.
References AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, MpmTableElmt_::DestroyThreadCtx, FLOW_PROTO_DEFAULT, AppLayerProtoDetectPMCtx_::mpm_ctx, mpm_table, AppLayerProtoDetectThreadCtx_::mpm_tctx, MpmCtx_::mpm_type, AppLayerProtoDetectThreadCtx_::pmq, PmqFree(), SCEnter, SCFree, SCReturn, AppLayerProtoDetectThreadCtx_::spm_thread_ctx, and SpmDestroyThreadCtx().
Referenced by AppLayerDestroyCtxThread(), AppLayerProtoDetectGetCtxThread(), AppLayerProtoDetectUnittestCtxRestore(), and RegisterSMBParsers().
| AppLayerProtoDetectThreadCtx* AppLayerProtoDetectGetCtxThread | ( | void | ) |
Inits and returns an app layer protocol detection thread context.
| ctx | Pointer to the app layer protocol detection context. |
| Pointer | to the thread context, on success; NULL, on failure. |
Definition at line 1806 of file app-layer-detect-proto.c.
References AppLayerProtoDetectDestroyCtxThread(), AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, FLOW_PROTO_DEFAULT, MpmTableElmt_::InitThreadCtx, AppLayerProtoDetectPMCtx_::max_pat_id, AppLayerProtoDetectPMCtx_::mpm_ctx, mpm_table, AppLayerProtoDetectThreadCtx_::mpm_tctx, MpmCtx_::mpm_type, PatIntId, AppLayerProtoDetectThreadCtx_::pmq, PmqSetup(), SCEnter, SCMalloc, SCReturnPtr, AppLayerProtoDetectCtx_::spm_global_thread_ctx, AppLayerProtoDetectThreadCtx_::spm_thread_ctx, and SpmMakeThreadCtx().
Referenced by AppLayerGetCtxThread(), AppLayerProtoDetectUnittestCtxRestore(), and RegisterSMBParsers().
| AppProto AppLayerProtoDetectGetProto | ( | AppLayerProtoDetectThreadCtx * | tctx, |
| Flow * | f, | ||
| uint8_t * | buf, | ||
| uint32_t | buflen, | ||
| uint8_t | ipproto, | ||
| uint8_t | direction | ||
| ) |
Returns the app layer protocol given a buffer.
| tctx | Pointer to the app layer protocol detection thread context. |
| f | Pointer to the flow. |
| buf | The buffer to be inspected. |
| buflen | The length of the above buffer. |
| ipproto | The ip protocol. |
| direction | The direction bitfield - STREAM_TOSERVER/STREAM_TOCLIENT. |
| The | app layer protocol. |
Definition at line 1354 of file app-layer-detect-proto.c.
References AppLayerProtoDetectProbingParserElement_::alproto, ALPROTO_DCERPC, ALPROTO_MAX, ALPROTO_UNKNOWN, FLOW_IS_PE_DONE, FLOW_IS_PM_DONE, FLOW_IS_PP_DONE, AppLayerProtoDetectProbingParser_::next, SCEnter, SCLogDebug, SCReturn, and SCReturnUInt.
Referenced by AppLayerHandleUdp(), AppLayerIncTxCounter(), and RegisterSMBParsers().
| AppProto AppLayerProtoDetectGetProtoByName | ( | const char * | alproto_name | ) |
Definition at line 1897 of file app-layer-detect-proto.c.
References ALPROTO_MAX, AppLayerProtoDetectCtx_::alproto_names, ALPROTO_UNKNOWN, SCEnter, SCMemcmp, and SCReturnCT.
Referenced by AppLayerGetProtoByName().
| const char* AppLayerProtoDetectGetProtoName | ( | AppProto | alproto | ) |
Definition at line 1914 of file app-layer-detect-proto.c.
References AppLayerProtoDetectProbingParserElement_::alproto, and AppLayerProtoDetectCtx_::alproto_names.
Referenced by AppLayerGetProtoName().
| int AppLayerProtoDetectPMRegisterPatternCI | ( | uint8_t | ipproto, |
| AppProto | alproto, | ||
| const char * | pattern, | ||
| uint16_t | depth, | ||
| uint16_t | offset, | ||
| uint8_t | direction | ||
| ) |
Registers a case-insensitive pattern for protocol detection.
Definition at line 1598 of file app-layer-detect-proto.c.
References SCEnter, and SCReturnInt.
Referenced by AppLayerHtpPrintStats(), and SMTPStateAlloc().
| int AppLayerProtoDetectPMRegisterPatternCS | ( | uint8_t | ipproto, |
| AppProto | alproto, | ||
| const char * | pattern, | ||
| uint16_t | depth, | ||
| uint16_t | offset, | ||
| uint8_t | direction | ||
| ) |
Registers a case-sensitive pattern for protocol detection.
Definition at line 1583 of file app-layer-detect-proto.c.
References SCEnter, and SCReturnInt.
Referenced by AppLayerParserRegisterProtocolParsers(), AppLayerProtoDetectUnittestCtxRestore(), DCERPCCleanup(), RegisterSMBParsers(), and SSLVersionToString().
| int AppLayerProtoDetectPPParseConfPorts | ( | const char * | ipproto_name, |
| uint8_t | ipproto, | ||
| const char * | alproto_name, | ||
| AppProto | alproto, | ||
| uint16_t | min_depth, | ||
| uint16_t | max_depth, | ||
| ProbingParserFPtr | ProbingParserTs, | ||
| ProbingParserFPtr | ProbingParserTc | ||
| ) |
| bool | 0 if no config was found, 1 if config was found |
Definition at line 1505 of file app-layer-detect-proto.c.
References AppLayerProtoDetectPPRegister(), ConfGetNode(), ConfNodeLookupChild(), SC_ERR_FATAL, SCEnter, SCLogDebug, SCLogError, SCReturnInt, STREAM_TOCLIENT, and ConfNode_::val.
Referenced by AppLayerRegisterProtocolDetection(), RegisterDNP3Parsers(), RegisterDNSTCPParsers(), RegisterDNSUDPParsers(), RegisterENIPTCPParsers(), RegisterENIPUDPParsers(), RegisterModbusParsers(), RegisterNFSTCPParsers(), RegisterNFSUDPParsers(), RegisterSMBParsers(), RegisterSSLParsers(), RegisterTemplateParsers(), and RegisterTFTPParsers().
| void AppLayerProtoDetectPPRegister | ( | uint8_t | ipproto, |
| const char * | portstr, | ||
| AppProto | alproto, | ||
| uint16_t | min_depth, | ||
| uint16_t | max_depth, | ||
| uint8_t | direction, | ||
| ProbingParserFPtr | ProbingParser1, | ||
| ProbingParserFPtr | ProbingParser2 | ||
| ) |
register parser at a port
| direction | STREAM_TOSERVER or STREAM_TOCLIENT for dp or sp |
Definition at line 1471 of file app-layer-detect-proto.c.
References AppLayerProtoDetectCtx_::ctx_pp, DetectPortCleanupList(), DetectPortParse(), head, DetectPort_::next, DetectPort_::port, DetectPort_::port2, SCEnter, and SCReturn.
Referenced by AppLayerProtoDetectPPParseConfPorts(), AppLayerRegisterProtocolDetection(), RegisterDNP3Parsers(), RegisterDNSTCPParsers(), RegisterDNSUDPParsers(), RegisterENIPTCPParsers(), RegisterENIPUDPParsers(), RegisterModbusParsers(), RegisterNFSTCPParsers(), RegisterNFSUDPParsers(), RegisterSMBParsers(), RegisterSSLParsers(), RegisterTemplateParsers(), and RegisterTFTPParsers().
| int AppLayerProtoDetectPrepareState | ( | void | ) |
Prepares the internal state for protocol detection. This needs to be called once all the patterns and probing parser ports have been registered.
Definition at line 1427 of file app-layer-detect-proto.c.
References AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, AppLayerProtoDetectCtx_::ctx_pp, FLOW_PROTO_DEFAULT, AppLayerProtoDetectPMCtx_::max_sig_id, SCEnter, SCLogDebugEnabled(), and SCReturnInt.
Referenced by AppLayerProtoDetectUnittestCtxRestore(), AppLayerSetup(), and RegisterSMBParsers().
| void AppLayerProtoDetectRegisterProtocol | ( | AppProto | alproto, |
| const char * | alproto_name | ||
| ) |
Registers a protocol for protocol detection phase.
This is the first function to be called after calling the setup function, AppLayerProtoDetectSetup(), before calling any other app layer functions, AppLayerParser or AppLayerProtoDetect, alike. With this function you are associating/registering a string that can be used by users to write rules, i.e. you register the http protocol for protocol detection using AppLayerProtoDetectRegisterProtocol(ctx, ALPROTO_HTTP, "http"), following which you can write rules like - alert http any any -> any any (sid:1;) which basically matches on the HTTP protocol.
| alproto | The protocol. |
| alproto_str | The string to associate with the above "alproto". Please send a static string that won't be destroyed post making this call, since this function won't create a copy of the received argument. |
| 0 | On success; -1 On failure. |
Definition at line 1674 of file app-layer-detect-proto.c.
References AppLayerProtoDetectProbingParserElement_::alproto, AppLayerProtoDetectCtx_::alproto_names, SCEnter, and SCReturn.
Referenced by AppLayerParserRegisterProtocolParsers(), AppLayerRegisterProtocolDetection(), RegisterDCERPCParsers(), RegisterDCERPCUDPParsers(), RegisterDNP3Parsers(), RegisterDNSTCPParsers(), RegisterDNSUDPParsers(), RegisterENIPTCPParsers(), RegisterENIPUDPParsers(), RegisterFTPParsers(), RegisterHTPParsers(), RegisterModbusParsers(), RegisterNFSTCPParsers(), RegisterNFSUDPParsers(), RegisterSMBParsers(), RegisterSMTPParsers(), RegisterSSHParsers(), RegisterSSLParsers(), RegisterTemplateParsers(), and RegisterTFTPParsers().
| void AppLayerProtoDetectReset | ( | Flow * | ) |
Reset proto detect for flow.
Definition at line 1718 of file app-layer-detect-proto.c.
References Flow_::alparser, Flow_::alproto, Flow_::alproto_tc, Flow_::alproto_ts, ALPROTO_UNKNOWN, Flow_::alstate, AppLayerParserStateCleanup(), FLOW_RESET_PE_DONE, FLOW_RESET_PM_DONE, FLOW_RESET_PP_DONE, FlowUnsetChangeProtoFlag(), Flow_::probing_parser_toclient_alproto_masks, Flow_::probing_parser_toserver_alproto_masks, and STREAM_TOCLIENT.
Referenced by AppLayerHandleTCPData().
| int AppLayerProtoDetectSetup | ( | void | ) |
The first function to be called. This initializes a global protocol detection context.
| 0 | On succcess; |
| -1 | On failure. |
Definition at line 1615 of file app-layer-detect-proto.c.
References AppLayerExpectationSetup(), AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, FLOW_PROTO_DEFAULT, AppLayerProtoDetectPMCtx_::mpm_ctx, MpmInitCtx(), PatternMatchDefaultMatcher(), SC_ERR_FATAL, SCEnter, SCLogError, SCReturnInt, SinglePatternMatchDefaultMatcher(), AppLayerProtoDetectCtx_::spm_global_thread_ctx, and SpmInitGlobalThreadCtx().
Referenced by AppLayerProtoDetectUnittestCtxRestore(), AppLayerSetup(), RegisterAllModules(), and RegisterSMBParsers().
| void AppLayerProtoDetectSupportedAppProtocols | ( | AppProto * | alprotos | ) |
Definition at line 1919 of file app-layer-detect-proto.c.
References AppLayerProtoDetectProbingParserElement_::alproto, ALPROTO_MAX, AppLayerProtoDetectCtx_::alproto_names, SCEnter, and SCReturn.
Referenced by AppLayerListSupportedProtocols(), AppLayerRegisterThreadCounters(), and AppLayerSetupCounters().
| void AppLayerProtoDetectSupportedIpprotos | ( | AppProto | alproto, |
| uint8_t * | ipprotos | ||
| ) |
Definition at line 1886 of file app-layer-detect-proto.c.
References SCEnter, and SCReturn.
Referenced by SigMatchList2DataArray(), and SigMatchListSMBelongsTo().
| void AppLayerProtoDetectUnittestCtxBackup | ( | void | ) |
Backs up the internal context used by the app layer proto detection module.
Definition at line 1967 of file app-layer-detect-proto.c.
References SCEnter, and SCReturn.
Referenced by AppLayerProtoDetectUnittestCtxRestore(), and RegisterSMBParsers().
| void AppLayerProtoDetectUnittestCtxRestore | ( | void | ) |
Restores back the internal context used by the app layer proto detection module, that was previously backed up by calling AppLayerProtoDetectUnittestCtxBackup().
Definition at line 1975 of file app-layer-detect-proto.c.
References AppLayerProtoDetectPMSignature_::alproto, ALPROTO_DCERPC, ALPROTO_FTP, ALPROTO_HTTP, ALPROTO_MAX, ALPROTO_SMB, ALPROTO_SMB2, AppLayerProtoDetectDeSetup(), AppLayerProtoDetectDestroyCtxThread(), AppLayerProtoDetectGetCtxThread(), AppLayerProtoDetectPMRegisterPatternCS(), AppLayerProtoDetectPrepareState(), AppLayerProtoDetectSetup(), AppLayerProtoDetectUnittestCtxBackup(), AppLayerProtoDetectUnittestCtxRestore(), AppLayerProtoDetectPMSignature_::cd, AppLayerProtoDetectCtx_::ctx_ipp, AppLayerProtoDetectCtxIpproto_::ctx_pm, FLOW_PROTO_TCP, FLOW_PROTO_UDP, FlowGetProtoMapping(), AppLayerProtoDetectPMCtx_::head, DetectContentData_::id, AppLayerProtoDetectPMCtx_::map, AppLayerProtoDetectPMCtx_::max_pat_id, AppLayerProtoDetectPMSignature_::next, Flow_::protomap, SCEnter, SCReturn, and STREAM_TOCLIENT.
Referenced by AppLayerProtoDetectUnittestCtxRestore(), and RegisterSMBParsers().
| void AppLayerProtoDetectUnittestsRegister | ( | void | ) |
Register unittests for app layer proto detection module.
Definition at line 3831 of file app-layer-detect-proto.c.
References SCEnter, SCReturn, and UtRegisterTest().
| void AppLayerRegisterExpectationProto | ( | uint8_t | proto, |
| AppProto | alproto | ||
| ) |
Definition at line 1948 of file app-layer-detect-proto.c.
References AppLayerProtoDetectProbingParserElement_::alproto, proto, SC_ERR_NOT_SUPPORTED, and SCLogError.
Referenced by RegisterFTPParsers().
request applayer to wrap up this protocol and rerun protocol detection.
When this is called, the old session is reset unconditionally. A 'detect/log' flush packet is generated for both direction before the reset, so allow for final detection and logging.
| f | flow to act on |
| dp | destination port to use in protocol detection. Set to 443 for start tls, set to the HTTP uri port for CONNECT and set to 0 to not use it. |
| expect_proto | expected protocol. AppLayer event will be set if detected protocol differs from this. |
Definition at line 1698 of file app-layer-detect-proto.c.
References Flow_::alproto_expect, FlowSetChangeProtoFlag(), and Flow_::protodetect_dp.
Referenced by AppLayerRequestProtocolTLSUpgrade(), and HTPFreeConfig().
| void AppLayerRequestProtocolTLSUpgrade | ( | Flow * | f | ) |
request applayer to wrap up this protocol and rerun protocol detection with expectation of TLS. Used by STARTTLS.
Sets detection port to 443 to make port based TLS detection work for SMTP, FTP etc as well.
| f | flow to act on |
Definition at line 1713 of file app-layer-detect-proto.c.
References ALPROTO_TLS, and AppLayerRequestProtocolChange().
Referenced by SMTPProcessDataChunk().
1.8.11 
